android banking malware app

Users of Android smartphones in India are the target of a recent malware campaign that uses social engineering lures to persuade users into installing fake applications that harvest private information.

According to a Monday analysis by Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai, “attackers are using social media platforms like WhatsApp and Telegram to send messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities.”

The operation’s main objective is to get personal information such as account credentials, payment card information, and banking information.

The attack chains involve spreading malicious APK files through social media messages sent on WhatsApp and Telegram. The messages impersonate banking apps and threaten to block the targets' bank accounts unless they update their permanent account number (PAN), issued by the Indian Income Tax Department, through the phony app.

After the software is installed, it asks the victim to enter their online banking credentials, PAN card numbers, debit card PIN, and bank account information. These details are then sent to a hard-coded phone number and an actor-controlled command-and-control (C2) server.

“Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC,” the investigators reported.

“The user is advised not to remove or delete the program and to wait 30 minutes. The application also has the ability to conceal its icon, which makes it vanish from the user’s device’s home screen while continuing to operate in the background.”

The malware also requests permission to read and send SMS messages. This allows it to intercept one-time passwords (OTPs) and forward messages from the victim's device to the threat actor's phone number.

Microsoft has also found that variants of the banking malware it identified can steal credit card information, personally identifiable information (PII), and incoming SMS messages, leaving unwary users exposed to financial theft.

It’s important to remember, though, that these attacks only succeed if users allow the installation of apps from unknown sources outside the Google Play Store.


“Mobile banking trojan infections can pose significant risks to users’ personal information, privacy, device integrity, and financial security,” according to the researchers. “These threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets.”

This development coincides with the SpyNote trojan’s ongoing campaign against the Android ecosystem, in which it has targeted Roblox users by posing as a mod in order to steal private data.

In another case, people are being tricked into installing an Android spyware called Enchant, which is specifically designed to steal data from cryptocurrency wallets, using fake adult websites as lures.

“Enchant malware uses the accessibility service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallet,” Cyble stated in an earlier article.

“Its primary objective is to steal critical information such as wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys from compromised devices.”
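The two behaviours described above, a banking trojan that requests SMS read/receive/send permissions to intercept OTPs, and a wallet stealer that declares an accessibility service, both leave traces in an app's manifest. The following triage script is an added example, not code from the article or from the Microsoft or Cyble research: it parses a decoded AndroidManifest.xml and flags SMS permissions in an app that is not the device's default SMS handler (a legitimate SMS app must declare an SMS_DELIVER receiver; a banking app needs none of these permissions), as well as any service bound with BIND_ACCESSIBILITY_SERVICE. The three manifests, the package names and the scoring thresholds are constructed for the demonstration.

```python
"""Manifest triage for the permission patterns used by the trojans above.

Added example, not from the article or the cited research. Input is a
decoded AndroidManifest.xml (e.g. as produced by apktool); the sample
manifests at the bottom are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return {"level": low|medium|high, "findings": [(signal, details), ...]}."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    # Signal 1: SMS permissions without being the default SMS handler.
    # Only a default SMS app needs these; a bank app asking for them is the
    # OTP-interception pattern described in the article.
    requested_sms = perms & SMS_PERMS
    is_sms_handler = any(
        _attr(action, "name") == SMS_DELIVER_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    if requested_sms and not is_sms_handler:
        findings.append(("sms_without_default_handler", sorted(requested_sms)))

    # Signal 2: a declared accessibility service, which can read and act on
    # other apps' screens (the mechanism Enchant uses against wallet apps).
    accessibility_services = [
        _attr(service, "name")
        for service in root.iter("service")
        if _attr(service, "permission") == ACCESSIBILITY_PERM
    ]
    if accessibility_services:
        findings.append(("accessibility_service", accessibility_services))

    level = ("low", "medium", "high")[min(len(findings), 2)]
    return {"level": level, "findings": findings}


# Constructed sample: looks like a bank app but carries both signals.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".WalletWatcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a legitimate default SMS app, which is allowed the SMS permissions.
SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsDeliverReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain networked app with neither signal.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for name, text in (("fakebank", SUSPICIOUS_MANIFEST),
                       ("messenger", SMS_APP_MANIFEST),
                       ("news", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

The default-SMS-handler check matters because the same three permissions are legitimate in a messaging app; without it the heuristic would flag every SMS client. Both signals are only triage hints, since a dropper can request permissions at runtime or load code later, so a hit is a reason to sandbox the APK, not a verdict.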

Doctor Web discovered a number of malicious applications on the Google Play Store last month. These apps promoted investment scams by posing as trading software (FakeApp), served hidden adverts (HiddenAds), and signed users up for premium services without their consent (Joker).

Google has announced new security capabilities, including real-time code-level screening of newly discovered applications, in response to the surge of Android malware. With Android 13 it also introduced restricted settings, which prevent sideloaded apps from accessing sensitive device settings (including accessibility) unless the user explicitly grants them permission to do so.

It goes beyond Google. In late October 2023, Samsung debuted a new feature called Auto Blocker, which blocks malicious commands and software downloads over the USB connection and stops apps from being installed from stores other than the Galaxy Store and Google Play Store.

Users are urged to verify the legitimacy of app developers, read reviews, and carefully consider the permissions that apps request, in order to avoid installing malicious software even from Google Play and other trusted sources.